System and method providing usage analytics for a mobile device

ABSTRACT

A system and method for obtaining usage information for selected applications running on a mobile device. A VPN engine initiates a VPN connection for each selected application when the mobile device is operating in cellular connectivity mode. This results in all data transmitted and received by the mobile device to pass through the VPN connection. A VPN platform can thus identify usage information of the particular application for the particular mobile device.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No.15/654,700 filed on Jul. 20, 2017, which application, along with thefollowing United States Patents and Patent Applications are incorporatedherein in their entireties:

U.S. Pat. No. 9,332,408

U.S. Pat. No. 9,332,425

U.S. Pat. No. 8,605,870

U.S. Pat. No. 9,332,128

U.S. Pat. No. 9,648,165

U.S. patent application Ser. No. 14/726,596

U.S. patent application Ser. No. 14/727,559

U.S. patent application Ser. No. 14/727,837

U.S. patent application Ser. No. 14/727,864

U.S. patent application Ser. No. 15/081,822

U.S. patent application Ser. No. 15/081,910

U.S. patent application Ser. No. 15/081,916

U.S. patent application Ser. No. 15/470,867

BACKGROUND

The new buzz word in the high-tech business sector is BYOD, which is anacronym for Bring Your Own Device. What this means is that an employeewill use their own device for work activity. Companies are embracingthis mode of operation for several reasons, such as cost savings,improved productivity, and improved employee morale. The cost savingsare realized in that employers do not have to purchase the equipment fortheir employees but rather, allow the employees to use devices that theyhave purchased for their own personal use. The companies can thenpurchase software enhancements for the employee devices and avoid theexpense of purchasing new devices as well as maintaining the devices.

One of the technology arenas that is particularly popular in BYODsettings is the smart phone arena. By allowing an employee to use theirown smart phone for work, the employer can simply set up a program toreimburse the employee for the portion of usage that is work related.

The applicant of the present application for patent has developed asecond line technology that enables a smart phone to include a secondcellular/wifi line. The above-referenced and incorporated applicationspresent various embodiments and aspects of this technology. When asecond line service is installed on a smart phone, one of the numbers onthe smart phone can be used for personal purposes while the other can beused for business or some other purpose.

Implementing or expanding a formal BYOD program is a critical componentof today's enterprise mobile agenda. Forward-looking companies recognizethat a more mobile workforce is a business necessity, and the prospectof increased productivity, agility, cost-efficiency, and employeesatisfaction is driving a growth in the BYOD market. A second lineservice empowers employees to work more productively on their preferreddevice, while saving companies time and money as they mobilize theirworkforce with BYOD. However, one of the biggest challenges of a BYODprogram faced by enterprises is how to fairly compensate employees forthe data and communication costs for their use of personal devices forcompany related activities. According to Forrester (as of the filing ofthis application), 54 percent of U.S. information workers' pay theirentire mobile phone data bill for phones they use for work, while 19percent say their company pays the bill directly, 7 percent say they arereimbursed and 13 percent receive partial reimbursement.

While an enterprise may pay a fixed stipend on a monthly basis or basedon a wild estimate, this strategy may not be reflective of the trueusage for work related activities and the enterprise may end up payinghundreds of thousands of dollars. Any solution should make sure theemployee privacy is honored in that the employee's personal activity onthe device is not tracked. Yet another associated challenge is to makesure that an employee is not able to spoof usage in order to charge anincreased reimbursement from the employer.

What is needed in the art is a technique to provide billing andanalytics pertaining to the voice, text and data usage of the secondline. Advantageously, such a solution would greatly improve anemployer's ability to monitor and reimburse business expense usages of aBYOD device. Such technology is useful for both BYOD as well as ChooseYour Own Device (CYOD) applications. Further, the technology may also beused in a Company Issued Personally Enabled (COPE) setting as well.

SUMMARY OF THE DISCLOSURE

A method and system are described monitoring, metering, collecting andprocessing usage information of mobile devices, such as BYODs. Thevarious embodiments presented herein and equivalents thereof arereferred to as an analytics system. The operations of the variousanalytics systems can vary depending on whether the analytics system isoperating in conjunction with an iOS based device or an ANDROID baseddevice. However, in general, embodiments of the analytics system operateto collect data usage attributed to certain applications or apps runningon a particular target device. A goal of the various embodiments is toallow billing entities, enterprises or individual users the ability tobifurcate data usage between business and personal use, or otherwiseseparate out and classify different types of data usage.

In a particular embodiment, an analytics system is described within theenvironment of a BYOD running an multi-line service (“MLS”) applicationand one or more other applications that an enterprise wants to monitor.For instance, in a BYOD scenario, a user may use his or her personaldevice for business purposes and the enterprise may want to reimbursethe user for the business related usage. The MLS application presentedherein provides direct information feed into a platform (MLS platform)for tallying the usage associated with the MLS application. Thus, anenterprise can request a user to load the MLS application on theirpersonal device and have the personal device to then include a businessrelated phone number. The disclosed MLS application monitors and metersthe cellular minutes consumed, as well as any cellular data and this canbe used for billing purposes.

However, in some circumstances, an enterprise may also require a user toconduct extensive web searching or utilize other apps that consume data.In various embodiments of the analytics system, this usage is monitoredand metered through a VPN connection through a VPN platform. Thoseskilled in the art will realize that a VPN connection provides a secureand private virtual connection between a device and another entity but,this technology is also exploited by the various embodiments to monitorand meter data usage. The VPN platform can then provide the usage dataof the monitored apps to the MLS platform, which can consolidate thedata to identify the total usage to be attributed to the enterprise.

The analytics system can be composed of a combination of componentsdistributed across a mobile platform and a server platform. Thecomponents operate together to collect usage data associated with amobile device and then provide the data in raw or formatted forms.

BRIEF DESCRIPTION OF THE DRAWINGS

In the Figures, like reference numerals refer to like parts throughoutthe various views unless otherwise indicated. For reference numeralswith letter character designations such as “102A” or “102B”, the lettercharacter designations may differentiate two like parts or elementspresent in the same figure. Letter character designations for referencenumerals may be omitted when it is intended that a reference numeralencompass all parts having the same reference numeral in all figures.

FIG. 1 is a high level diagram illustrating components of an exemplaryenvironment in which the analytics system can operate.

FIG. 2A illustrates a dashboard view of the usage information for acurrent cycle,

Sep. 1, 2016 to Sep. 30, 2016 210.

FIG. 2B illustrates a reporting view of a billing statement for a periodof Sep. 1, 2016 to Sep. 30, 2016.

FIG. 2C is a screen shot illustrating exemplary aggregate reports.

FIG. 2D is a screen shot illustrating usage information of individualusers or subscribers. For instance, of the 62 active subscribers in FIG.2A, usage data for 6 specific subscribers is illustrated in the userusage chart 260.

FIG. 3A is an exemplary screen shot of a dialer function of an MLS app.

FIG. 3B is an exemplary screen shot of a contacts or address bookfunction of an MLS app.

FIG. 3C is an exemplary screen shot of the recent call history for anMLS app.

FIG. 3D is an exemplary screen shot of the message history for an MLSapp.

FIG. 4 is a functional diagram of the general platform that can beutilized as the MLS platform in various embodiments.

FIG. 5 is a block diagram illustrating an exemplary high-levelarchitecture of the how the usage information can be captured.

FIG. 6A illustrates the home screen 600 of the iOS device is presentedand showing the presence of the various apps including AIRWATCH agent602, AIRWATCH catalog 604, PULSE SECURE VPN client 608, SALESFORCE 610and the MLS App 612 with the label MOVIUS.

FIG. 6B illustrates a second screenshot 620, which shows the SAFARI Apprunning on the iOS device.

FIG. 6C illustrates a third screenshot 630, which shows the SALESFORCEapp 610 running on the iOS device. Examination of the notification bar622 shows that the VPN is established as indicated with the VPN statustag 632.

FIG. 7A illustrates home screen 700, which displays various apps thatare installed on the ANDROID based device.

FIG. 7B illustrates a screen shot indicating further notificationdetails of the VPN starter agent and PULSE SECURE client.

FIG. 7C illustrates the home screen 730 indicating in the notificationbar 722 that the VPN starter agent is active 732 and the PULSE SECUREapp is active 734.

FIG. 8 is a functional block diagram of the components of an exemplaryembodiment of a system, device or sub-system that could operate one ormore components of the analytics system or devices or systems that theanalytics system interfaces to or interacts with during operation.

FIG. 9 is a flow diagram illustrating exemplary steps that a VPN starterengine can be perform in various embodiments.

FIG. 10 is a flow diagram illustrating exemplary actions that can betaken by an exemplary embodiment of the analytics system.

DETAILED DESCRIPTION

The present invention is directed toward the field of usage monitoring,and more specifically, towards an analytics system that operates tomonitor and meter data, minutes and other usage of cellularcommunications resources and use this information for the provision ofother services, such as billing services.

Overview

In various embodiments of the analytics system, a suite of products canbe employed to obtain statistics and metering of how much data, minutesor other resources are used by or associated with a second line servicerunning on a mobile platform. For example, suppose employee George worksfor Acme Phone Company and Acme Phone Company has a BYOD environment. Assuch, employee George uses his own mobile device for work relatedoperations such as calls, texts and data. The Acme Phone Company in turnwants to reimburse employee George for any and all business relatedusages of his personal device. In some situations, a company simplyprovides a stipend, such as $50 as a non-limiting example, to theiremployees as an estimated amount to cover any business usage of theemployee's personal device. In other situations, a company may reimbursethe employee based on a percentage of usage, such as 40% of theemployee's bill. Yet again, some companies may simply pay the employee'sentire usage bill in exchange for the employee using their personaldevice. The various embodiments of the analytics solution presentedherein enable a company to reimburse an employee for the exact amount ofbusiness usage of the employee's personal device.

Further, advantageously, the various embodiments of the analyticssolution presented herein enable employers to not only know how muchbusiness usage is made by the employee, but also to correlate theemployee's usage with how much they are selling or other performancemetrics. For instance, it may be useful for a company to know that ifemployee George spends X minutes a day in calls to sales leads, that onthe average this activity results in obtaining $Z in sales. Further, ifemployee George spends M minutes a day in calls to leads, this activityon the average results in obtaining $P in sales. This information canhelp predict employee George's expected performance and to determine theROI for certain activity.

As such, the various embodiments of the analytics system providemonitoring and metering. Monitoring aspects of the various embodimentsoperate to determine what a user is doing, who they are calling, etc.Metering aspects of the various embodiments operate to determine howmuch data or how many minutes are being consumed by a user.

Embodiments of the analytics system may provide differing levels ofanalytics. For instance, one embodiment may offer basic analytics whileanother embodiment may offer advanced analytics. Further, someembodiments may include multiple levels of analytics that are enabled ordisabled based on particular criteria, such as credits earned by a user,payments made, etc.

As a non-limiting example, an analytics system may provide basicanalytics that are limited to data usage around the communications app,such as a second line service app, including calls, data and textstransmitted/received using the second line service app.

As another example, an analytics system may provide further or advancedanalytics. For instance, an embodiment may be deployed for an enterprisethat imposes particular operating requirements on it's employees. Suchrequirements may include requiring the employees to utilize a particularapp, such as an email app, calendaring app, etc. Thus, the employees ofthe enterprise are required to install and utilize such apps on theirBYOD. Further, the enterprise may desire to reimburse employees for thedata usage related to these particular apps. In the context ofreimbursement, current regulations dictate that metering is to occur ata cellular infrastructure location, such as an MTSO, not at anindividual client device. The regulation is imposed because the clientdevices can be hacked and/or spoofed to modify the reported amount ofdata usage.

Data metering within the cellular system can be accomplished through theuse of a Virtual Private Network (“VPN”). In essence, when anapplication is to be metered, that application is associated oraffiliated with a VPN such that any data transmitted or received for themetered application is passed through the VPN to the PSTN.

As a non-limiting example, when an application is launched on a mobiledevice, the

Remote Authentication Dial-In User Service (“RADIUS”) protocol can beutilized to meter the data usage. When a metered application islaunched, a VPN can be manually or automatically opened and metering canensue. Thus, the data usage for that particular application can betracked.

These and other embodiments and features are presented in greater detailin the following text.

Exemplary Environment

The various embodiments of the analytics system solve the challengesassociated with data metering in a BYOD environment. Throughout thisdescription, a particular solution for a particular environment ispresented for illustrative purposes. However, it should be appreciatedthat aspects of the present invention can be modified and implemented indifferent configurations for different environments and the illustratedexemplary embodiments should not be construed as limitations on theinvention.

FIG. 1 is a high level diagram illustrating components of an exemplaryenvironment in which the analytics system can operate. Namely, theillustrated environment includes the components of a system forproviding a second line service (“SLS”) or a multi-line service (MLS) toa user of telecommunications device (“TD”).

The system 100 operates to provide a second line service to a user of TD110. TD 110 is also associated with a primary phone number assigned toit by a primary service provider, as is understood by one of ordinaryskill in the art. A subscriber to a multi-line service (“MLS”) offeredthrough exemplary system 100 may receive calls at TD 110 that aredirected to either of the primary phone number provided by the primaryservice provider or a secondary phone number (“MLS phone number”)provided by the MLS platform 115.

In general, any call directed to either of the primary phone number oran MLS phone number are transmitted from a third party TD 120 (which mayor may not be a subscriber to the MLS) to the subscriber TD 110 by waycommunications network 125. Notably, communications network 125envisions any and all networks for transmitting and terminatingcommunications between telecommunications devices such as, but notlimited to, cellular networks, PSTNs, cable networks and the Internet.Methods for effecting the transmission of data across communicationsnetwork 125 from one device to another, including call setups,terminations and the like are understood by those of ordinary skill inthe art of data transmission.

A call made from a third party TD 120 to the primary number associatedwith subscriber TD 110 is transmitted across communications network 125and routed to subscriber TD 110, as is understood in the art. The radiotransceiver 104, if the TD 110 is a portable and wireless device,enables the receipt and transmission of signals to and from subscriberTD 110. The call signal may include the calling line identification(“CLID”), i.e. the phone number, associated with third party TD 120 suchthat when the call is received at subscriber TD 110, the CLID may bedisplayed for the benefit of the subscriber on display component 103.Notably, although the exemplary embodiments described in the presentdisclosure use the CLID as an example of data that may displayed for thebenefit of the user of a subscriber TD 110, it will be understood thatany data associated with the third party TD 120, subscriber TD 110, MLSplatform 115 or the like may be rendered for the benefit of the user ofthe system 100 and, as such, only describing that the CLID is displayedwill not limit the scope of what is envisioned by the disclosure.Moreover, it is envisioned that any data uniquely associated with a callto a primary number or an MLS number may be displayed for the benefit ofa subscriber to the system 100.

Returning to the FIG. 1 illustration, a call made from a third party TD120 to an MLS number associated with subscriber TD 110 is transmittedacross network 125. The network 125 recognizes where the call needs tobe routed based on the called number (the MLS number associated with thesubscriber) and routes the call to MLS platform 115. MLS platform 115thus effectively intercepts the call, determines that the call wasintended for subscriber TD 110 and then forwards the call to subscriberTD 110. In this way, while a call directed to a primary numberassociated with subscriber TD 110 is routed directly to subscriber TD110, a call directed to a second line number associated with subscriberTD 110 is routed to MLS platform 115 instead. Once received at the MLSplatform 115, a query of central MLS database 116 by redirection module117 may determine that the call from third party TD 120 was meant forthe second line number associated with subscriber associated with TD110. Once the determination is made, redirection module 117 may modifythe call data to include data that reflects its identification as a callfor the second line number and then forward the call to the primarynumber associated with subscriber TD 110.

Because the call includes data identifying it as a call to the secondline number associated with subscriber TD 110, MLS module 105 mayintercept the incoming call, or otherwise be injected into the callprocessing activity for the call, and then leverage data stored in localMLS database 106 to render it in such a way that the user or subscriberassociated with TD 110 knows that the call is for the second line numberas opposed to the primary number. The MLS module 105 is designed to workwith radio transceiver 104 and any stored or retrievable content inlocal MLS database 106 to terminate a call to a second line number,render associated data and provide services uniquely associated with thesecond line number such as, but not limited to, dedicated voicemail,ringtones, caller ID, automated responses, etc.

It should be appreciated that the analytics system can be embodiedwithin an app loaded onto a mobile device, within the platform, such asthe MLS platform, or distributed among these and other platforms.Embodiments of the analytics system can be specifically deployed to workin conjunction with the provision of a multi-line service applicationand a multiline service platform environment, as illustrated in FIG. 1,to provide granular, real-time insights into a user's voice, text, anddata usage. The various embodiments of the analytics system can operateon both iOS and Android platforms. The embodiments of the analyticssystem support collection of data usage by enterprise apps underdifferent models of a BYOD program of an enterprise. An enterprise mayalready be using an Enterprise Mobility Management (EMM) solution, suchas Airwatch, MobileIron, Good etc., to manage applications and devicessupported by the enterprise. The various embodiments of the analyticssystem, such as an embodiment operating in the exemplary environmentincluding the platform powering the MLS app and analytics system,integrates with such EMMs to collect near-real time usage informationfor apps managed by the enterprise. The MLS platform 115 can alsocollect usage information in scenarios where an EMM is not in place (forexample for small businesses where a full blown EMM is an overkill) asexplained later in this specification.

Careful demarcation of usage for work related usage is made and only theportion used for the work related activities is reported. Usageinformation is reported on both a per-employee basis and an aggregatebasis across all users or groups of users. Employers can use theinformation from the analytics system in a wide variety of ways,including but not limited to:

-   -   reimburse the employee for the work related usage based on a        fixed rate per minute, message or byte as the case may be    -   integrate the usage information with a carrier to directly        compensate the employee for the usage, the usage information can        be sent directly to carriers using the industry standard        Diameter Gy protocol    -   gain insights into usage of voice/messaging/data by the employee        for work related activities provided as business intelligence        reports, such as insights into how much time a sales team spends        on calls during a work day

Generation of Usage Data

The various embodiments of the analytics system offer granular,real-time insights into employees' voice, text, and data usage. Thisusage data can be reported in a variety of manners. The analytics systemcan generate a variety of reports including user-friendly graphs andcharts, as well as downloadable the usage information such as csv filesthat can be incorporated or imported or otherwise integrated into othersystems.

FIGS. 2A-2D are exemplary screenshots that could be provided from anexemplary embodiment of the analytics system. The usage data in suchembodiments can be presented in real time (or near real time) graphs anddashboards and can be customized per day or per billing cycle. Bothindividual user data and aggregate data can be made available in suchembodiments. FIG. 2A illustrates a dashboard view of the usageinformation for a current cycle, Sep. 1, 2016 to Sep. 30, 2016 210. Thetop of the dashboard 210 presents a cycle snapshot 212 indicating thenumber of new users added, as well as the total data usage, voice usageand message usage for the cycle. Further, the snapshot 212 includes ascroll actuator 214 to view previous cycle periods.

A second part of the dashboard includes a daily usage report 220. Thedata displayed can be selected by a pull down menu 222 and the range orday or type of report can be selected with pull down menu 224. Finally,a user status window 230 is provided to identify the total number ofusers and their current status (i.e. suspended, blocked or active).

FIG. 2B illustrates a reporting view of a billing statement for a periodof Sep. 1, 2016 to Sep. 30, 2016. The illustrated screen 240 shows thetotal minutes used, the total number of messages and the amount of dataas a pie chart or percentage illustration of what is allotted for thatperiod. As such, the full number of minutes for the period have beenutilized 242, just under 75% of the total allotted messages have beenutilized 244 and 100% of the data allotted has been used 246.

FIG. 2C is a screen shot illustrating exemplary aggregate reports. Areports menu 252 enables the selection of different report formats. Inthe selected Aggregates Reports, the aggregated usage data for thecurrently active 62 subscribers (see FIG. 2A) is broken down into voice254 and message 256. The voice usage chart 254 shows the usage data forthe selected day as including 450 minutes for outbound voice usage and111 minutes for inbound voice usage. Further, the message usage chart256 show the usage data for the selected day as including 10 outboundmessages and 7 inbound messages.

FIG. 2D is a screen shot illustrating usage information of individualusers or subscribers. For instance, of the 62 active subscribers in FIG.2A, usage data for 6 specific subscribers is illustrated in the userusage chart 260. For example, user Amit Modi is shown having consumed 58minutes for voice 262, 31 messages 264 and 26 MB of data 266.

The analytics system also generates a near-real time CDR (Call/ChargeDetail Record) feed for voice and messaging usage in the MLS app forcharging or reconciliation purposes. For data usage, the analyticssystem keeps track of the mobile data traffic sent and received byenterprise-designated applications. Mobile data usage perapplication/container is made available both to the carrier forintegration with their online charging systems using protocols such asDiameter Gy and to the enterprise using through the analytics system fortracking and control. As an alternative to Diameter Gy, the analyticssystem may be adapted to use a customized protocol for integration withother online charging systems as well.

Multi-Line Service Embodiment

An embodiment of the analytics system operating within a multi-lineservice environment include various components that work together inproviding the usage metrics for data, voice and messaging. Such anembodiment includes a multi-line application, a multi-line platform, anEMM, a VPN and a management portal.

Multi-line App. The SLS or MLS app makes it easy for enterprises to addmultiple company-managed numbers to a corporate or employee-owned mobilephone. The MLS app is an easy-to-use downloadable mobile app (availablefor both iOS and Android platforms in their respective app stores) thatallows employees to make and receive calls and messages on the managednumbers. Using the MLS app, calls can be placed/received using eitherthe TDM minutes available on the mobile device or via a data connection.The internet data connection can be provided by a carrier or by a Wi-Ficonnection.

The MLS app allows an enterprise to mobilize its workforce with a BYODprogram that's cost effective, easy to manage and compelling toemployees. The MLS app separates business and personal use forproductivity and privacy. Enterprises can use the MLS app to cutcommunications expenses by retiring under-utilized desk phones, reducingtheir investment in mobile devices, and containing service costs,including data overage charges. FIGS. 3A-3D provide screenshots of anexemplary iOS based MLS app.

The near-real time usage metrics of the MLS app, including the minutesused over TDM and data used over the carrier network and Wi-Fi arecaptured as CDRs at the MLS platform. The analytics system uses theseCDRs to display the metrics as part of its offering.

FIG. 3A is an exemplary screen shot of a dialer function of an MLS app.The dialer screen 300 includes a key pad 302 and a call button 304. TheMLS app also is illustrated as including a media switch 306 to enable acaller to switch between calling over Wifi or data, or calling usingcellular minutes. The dialer screen 300 also includes a menu tray 308 atthe bottom, which in the illustration indicates that the keypad 310 ordialer is selected. By actuating the contacts icon, the screentransitions to the contacts screen 320 as illustrated in FIG. 3B.

FIG. 3B is an exemplary screen shot of a contacts or address bookfunction of an MLS app. The contacts screen 320 includes a search window322 to insert search terms, as well as a touch activated index selection324 to index to a letter within the contacts alphabetical sort. Thecaller ID 326 associated with the MLS app is displayed above thecontacts window, which shows a window into the listing of contacts 328.In the icon tray 308, the contacts icon 312 is shown as being selected.Selecting the recents icon 328 causes the screen to transition to therecent call history screen 330 as illustrated in FIG. 3C.

FIG. 3C is an exemplary screen shot of the recent call history for anMLS app. The recent call history screen 330 includes a switch 332 toselect a display of all recent calls or all recent missed calls. An editfunction 334 can be selected to edit the recent call list, such asallowing for the deletion of an item from the list among otherfunctions. In addition, the recent call history screen 330 includes asearch window 336 to allow search terms to be entered to look forparticular recent calls. Finally, a window 338 displays a window intothe list of recent calls. Actuating the messages icon 333 in the icontray 308 results in a transition to the message history screen 340 asillustrated in FIG. 3D.

FIG. 3D is an exemplary screen shot of the message history for an MLSapp. The message icon 333 is illustrated as being selected in themessage history screen 340. The message history screen 340 includes asearch window 342 to search for the names of people or numbers ofmessages received or sent. In addition, the search window 342 can beused to search for particular content or dates of messages in someembodiments. The message history screen 340 includes a window to showthe recent messages either a window of all messages received or a windowinto the messages that satisfy the search criteria. An edit function 346is provide to enable various message editing functions such as deletingmessages.

Multi-line Platform. The MLS app is just one of several services thatcan be run on or supported by the MLS platform. Thus, although referredto as the MLS platform in the presented exemplary embodiments, it shouldbe appreciated that the platform is not limited to just supporting theMLS app. An exemplary embodiment of the MLS platform is a nextgeneration, standards-based carrier-grade platform that can be deployedglobally and support tens of millions of subscribers. As a global,cloud-based platform, the MLS platform can provide a suite of modularmobile communications services that companies can turn on or offdepending on their needs. Platform services integrate easily into anexisting communications infrastructure, so enterprises can leveragecurrent assets while adding more functionality and value for users. TheMLS platform can provide typical carrier-grade features such as highavailability, performance, and network management, statistics, logging,and reporting capabilities. It can be easily integrated into thenetwork, or network functions virtualized (NFV). The highly availablesolution is also capable of supporting geographical redundancy.

FIG. 4 is a functional diagram of the general platform that can beutilized as the MLS platform in various embodiments. The platform 400 isillustrated as supporting a work phone 402, messaging 404, visual voicemail 406, split billing 408 and call processing 410 in the illustratedexample. The platform enables communication among various supporteddevices through a cloud 412.

In the provision of the analytics services provided by the analyticssystem, the MLS platform ideally performs the following functionalities:

-   -   Hosts the MLS app.    -   Directly captures usage metrics of the MLS app.    -   Captures RAIDUS messages from a VPN server or a data proxy to        capture the data usage of the managed applications.    -   Hosts the portal that displays the usage metrics.

Enterprise Mobility Management (EMM). Some embodiments of the analyticssystem comes pre-integrated with leading EMM providers. Enterprisemobility management (EMM) is an all-encompassing approach to securingand enabling employee use of smartphones and tablets. In addition toaddressing security concerns, a strong EMM strategy also helps employeesbe more productive by providing them with the tools they need to performwork-related tasks on mobile devices. EMM typically involves somecombination of mobile device management (MDM), mobile applicationmanagement (MAM) and mobile information management (MIM). MDM focuses onlocking down mobile devices, while MAM focuses on controlling whichusers can access which applications and MIM focuses on allowing onlyapproved applications to access corporate data or transmit it. While thethree functionalities are distinct, typically a single EMM provider willoffer all three. Some of the popular EMMs that the MLS platform canintegrate with include Airwatch, MobileIron and GOOD, as a fewnon-limiting examples.

For embodiments of the analytics system, an EMM is an optional componentused to manage the apps that are tracked for data consumption. In suchembodiments, the EMM performs the following optional functionalities:

-   -   Pushes connection profiles to the managed mobile devices. The        profiles configure the apps managed by the EMM in terms of        network connectivity via VPN, proxy etc.    -   Handles the installs of the apps that are managed.    -   Handles the install of the VPN client on the mobile device.

VPN. Sources of accounting information for data used by managed apps aredevices or software components that have the ability to meter trafficusage either because traffic flows through them or because they are atthe endpoints of the data flow. The following source of accountinginformation provides usage information to the aggregation server using asuitable API/protocol:

-   -   A tunneling server that terminates data for applications that        are using the consumption-tracking feature. This tunneling        server may be a VPN server. In some embodiments, the MLS        platform may support the Pulse VPN server, although other        commercial VPN servers such Cisco AnyConnect, OpenVPN etc. may        also be utilized. From a client perspective, iOS supports a        per-app VPN approach where the VPN connection to the VPN server        is automatically established whenever a managed app is opened.        However, on Android such a mechanism does not exist and as such,        embodiments provide a background service that monitors app usage        to mimic the per-app VPN capability of iOS.

Portal. The portal is the final piece of the analytics system. Theportal provides a secure way of accessing the portal for performing awide variety of tasks including the following:

-   -   Manage users on the MLS platform and the phone numbers assigned        to the users.    -   Display work-usage reports to simplify and optimize the employee        mobile reimbursement process, giving the enterprise peace of        mind for paying employees their fair share of business-related        voice, text, and data usage. Reports are also available for        download by the EAP admin.    -   Maintain central security for enterprise mobile usage and gain        visibility into how usage is managed and accessed across your        entire organization with comprehensive auditing and reporting.    -   Configure rate plans for individual or groups of users when        traveling abroad so that when the user lands outside of their        domestic area, they are automatically switched to a new        rate-plan reducing the roaming bill.

Exemplary Operation of the Analytics System

The analytics system displays usage information of call minutes, andmessaging by the

MLS app and data usage by all the apps (including the MLS app) that theenterprise wants to meter in a BYOD scenario. FIG. 5 is a block diagramillustrating an exemplary high-level architecture of the how the usageinformation can be captured.

The operations of the analytics system in capturing and reporting usageinformation can be understood by examining the exemplary block diagramof FIG. 5. It should be understood that the analytics system may includecomponents in an MLS app 512 operating on a BYOD 510 and an applicationoperating on an MLS platform 540. Thus, when analytics system isdescribed as taking certain actions, these actions may occur as a resultof the MLS app 512 or the application on the MLS platform 540.

An exemplary BYOD 510 may include an MLS app 512 and one or more otherapps 514, as well as a VPN client 516. Voice calls and messaging mayoriginate from the BYOD 510 utilizing the MLS app 512. Both the MLS apporiginated voice and messaging traffic flow through the MLS platform 140via channel 536, irrespective of whether they are utilizing TDM(cellular minutes) or data. The usage information, namely the voiceminutes and number of messages, is directly captured at the MLS platform540 and provided to a database 542. Further, if data is used for voiceand messaging, the total data used by the MLS app 512 is also captureddirectly at the MLS platform 540.

To meter data usage by other BYOD based applications 514 other than theMLS app 512, the usage information needs to be captured by a differententity other than the BYOD 510. This is a requirement that is imposed bycellular regulatory bodies such as the FCC, CTIA etc. Hence all the datausage from these other applications needs to be directed through asecondary entity, such as a VPN server 550. The analytics system thenneeds to gain access to this data usage from the secondary entity 550.In some embodiments, to obtain the usage data, the secondary entity 550can be a VPN server hosted either by the carrier/enterprise or at acloud operated by the MLS service provider. Movius Interactive is anexample of a company that provides the MLS app, platform and cloudservices. The MLS platform 540, as part of the analytics system, maysupport several different types of VPN servers including Pulse Secure,Cisco Anyconnect, Open VPN among various others. To redirect all data ofthe managed enterprise applications or other applications 514 throughthe VPN server, the mobile device should have the corresponding VPNclient app 516 installed i.e., Pulse Secure client, Cisco Anyconnectclient etc. These VPN clients 516 need be configured to direct trafficof only the managed applications 514. Depending on whether an EMM isbeing used or not the method to configure these VPN clients differs. Theconfiguration methodology is explained in detail below.

All data from a managed app 514 is relayed through a VPN Tunnel 530existing through the public internet 520 to a VPN server 550. The VPNserver 550 can meter the data used on a per-user level. This is possiblebecause each user is assigned a dedicated certificate orusername/password credentials for encryption on the VPN tunnel 530.Because all of the data is encrypted on the VPN tunnel 530, the VPNserver 550 can only capture aggregated data usage across all themonitored applications 514. Thus, although a primary purpose of the VPNconnection is to establish the secure exchange of data, it also enablesthe ability to identify usage and thus, enable the usage to be monitoredand measured to identify the amount of data that a user is consuming.The VPN server 550 can be configured to meter the data usage and createCDRs. These CDRs can be communicated from the VPN server 550 over path552 to the MLS platform 540 via a variety of manners, such as the RADIUSprotocol as a non-limiting example. The RADIUS (Remote AuthenticationDial-in User Service) protocol is a network protocol that providescentralized authorization and accounting management for users whoconnect and use a network service. The RADIUS protocol is broadlysupported by network service providers, and as such, embodiments of theanalytics system may rely on this protocol for communication of CDRsbetween the VPN server 550 and the MLS platform 540.

All the analytics data captured is stored in a high-availabilitydatabase 542 maintained by the MLS platform 540. Thus, the usageinformation from the MLS app 512 and the usage data obtained from thesecond entity 550 can all be stored in database 542 and consolidated forreporting, billing, etc. The analytics system makes on-demand queries tothe database 542 to gather information necessary for the display ofcharts and dashboards on the portal, as well as for other applications.As a non-limiting example, the MLS platform 540 may create CDRs that canbe integrated into carriers or enterprise billing solutions. Further,the MLS platform 540 can also utilize the Diameter Gy Protocol to sendbilling information for integration with a carrier's Online ChargingSystem (OCS). When integrating with a carrier's OCS, the MLS platform540 requires that the traffic from the actual identity associated withthe mobile device's SIM card to the set of IP addresses be zero-rated.The MLS platform 540 then opens a charging session for additionalidentity enabled from the analytics system. The traffic is initiallyreceived by the MLS platform 540. Subsequently, when the MLS platform540 processes and confirms the accounting information for enterprisemobile data, this traffic will be delivered and charged to theenterprise identity.

While the VPN server 550 needs to be configured by the MLS serviceprovide or an enterprise administrator directly, the VPN clients 516 canbe configured in two different ways depending on whether an EMM is usedto manage the enterprise related apps 514 or if an EMM is not beingused. Further, there are variations depending on whether the mobiledevice is iOS or Android based.

If an EMM, such as Airwatch, MobileIron, Good, Samsung Knox etc., isused by the enterprise or carrier for the managed apps 514, the VPNclient 516 on the BYOD 510 can be configured from the EMM. A VPN client516 will need several pieces of information for configuration, alsoknown as a VPN profile, including: the URL of the VPN server 550, thetype of VPN connection (IPSec, L2TP, http etc), username/passwordcredentials or security certificate, and a whitelist of apps whose datatraffic needs to be tunneled. The use of the whitelist differs betweeniOS and Android based devices. Further, there is a difference betweeniOS and Android based devices if a VPN is established when using a Wi-Fior cellular for data connectivity.

It should be understood that the various EMMs that are available do notoperate to launch VPN connections. Because some embodiments of theanalytics system require a VPN connection to receive the required usageinformation, a mechanism to launch VPN connections for the monitoredapps 514 is necessary. In the case of iOS based devices, the VPNconnections are automatically established for white listed or monitoredapps 514. However, for ANDROID based devices, the VPN connection must beestablished by other means. In various embodiments, the process monitorsactivity on the BYOD and establishes VPN connectivity based on networkstatus changes. In some embodiments, the VPN connectivity can beestablished based on the network status (i.e. cellular or WiFi) and thestatus of the monitored apps 514 (i.e. running, active, loaded).

iOS supports a special automatic VPN feature known as the Per-App VPN.This feature can be configured only from an EMM. The Per-App VPN featureallows the EMM to provide the whitelist of apps that can use theconfigured VPN connection. Further, the VPN can be configuredautomatically start whenever a managed app 514 is opened. The VPNconnection will be disconnected after a timeout if no managed app 512 isbeing used. The VPN connection itself will be used only for the managedapps 512 in the whitelist. The other apps will not use the VPN.

FIG. 6A-FIG. 6C show a series of screenshots illustrating the steps ofconfiguring a VPN client 516 on the BYOD 510. The illustrated stepsdepict a Per-App VPN in action on an iOS based device. In theillustrated embodiment, the iOS device utilizes AIRWATCH as the EMM andPULSE SECURE as the VPN client 516. The managed app 514 is SALESFORCE.FIG. 6A illustrates the home screen 600 of the iOS device is presentedand showing the presence of the various apps including AIRWATCH agent602, AIRWATCH catalog 604, PULSE SECURE VPN client 608, SALESFORCE 610and the MLS App 612 identified by the label MOVIUS.

FIG. 6B illustrates a second screenshot 620, which shows the SAFARI Apprunning on the iOS device. The SAFARI app is not managed in the Per-AppVPN profile. This can be verified by examining the notification bar 622of the iOS device. In the notification bar 622, it can be observed thata VPN connection has not established when the SAFARI app is being used.

FIG. 6C illustrates a third screenshot 630, which shows the SALESFORCEapp 610 running on the iOS device. Examination of the notification bar622 shows that the VPN is established as indicated with the VPN statustag 632. SALESFORCE 610 has been configured, such as with the VPN clientor EMM, to be included in whitelist of apps that are managed by the VPN.Thus, when SALESFORCE 610 is being used on the iOS, because it is amanaged app, the VPN tunnel 530 is established. On an iOS device, theVPN is established irrespective of whether Wi-Fi or cellular is used fordata connectivity. However, the VPN server 540 can identify whichinterface is currently being used and analytics system captures whetherthe corresponding portion of data needs to be billed (cellular) or not(WiFi).

Similar to the iOS based devices, ANDROID based devices also support awhitelist of apps that can utilize a VPN connection, the ANDROID baseddevices can utilize an EMM to create a whitelist. However, ANDROID baseddevices do not support the automatic start of the VPN when a managedapplication is being used. The VPN connection itself will be used onlyby the managed Apps, but the user typically must manually start the VPNconnection. This is not an elegant user experience as the user must becognitive of the fact that the VPN connection must be started. Thus, thevarious embodiments of the analytics system may utilize a VPN starteragent to overcome this issue. The agent can automaticallyconnect/disconnect the VPN connection based on a predetermined set ofrules.

FIG. 7A-FIG. 7C present screenshots to illustrate the operation of theVPN starter agent operating on an ANDROID based device. FIG. 7Aillustrates home screen 700, which displays various apps that areinstalled on the ANDROID based device. In the illustrated exemplaryembodiments, the EMM running on the ANDROID device is AIRWATCH, PULSESECURE is the VPN client 516 and SALESFORCE is an exemplary managed app512. As such, the home screen 700 includes icons for the AIRWATCH agent702, the AIRWATCH catalog 704 and the PULSE SECURE VPN client 708. TheMLS app 710 labeled MOVIUS and the VPN starter agent are also installedon the device. In some embodiments, the VPN starter agent may be aseparate app that is manually started or automatically started onpowering the device. In other embodiments the VPN starter agent can beembedded within the MLS app 710 and start up whenever the MLS app 710 isactive and/or loaded.

Because ANDROID based devices do not support automatic starting of theVPN, the VPN starter agent handles the starting and stopping of the VPNconnection. Further, because it is not necessary to meter data usagethat occurs on a Wi-Fi interface, embodiments of the VPN starter agentmay turn the VPN connection on only when the device is using cellularfor the active data connectivity. When the ANDROID based device switchesto a Wi-Fi connection, the VPN connection is automatically stopped. TheVPN starter agent continuously monitors the ANDROID based device toidentify what the active network interface is at all times. Onedifference from iOS is that the VPN in the ANDROID based devices willalways be connected as long as the device is utilizing cellular dataconnectivity. Although the VPN connection itself is used only for thewhitelisted apps, the VPN itself remains connected at all times thedevice is on cellular.

The VPN starter agent can provide a notification or status indicator toindicate when the ANDROID based device is on a cellular connection. FIG.7C illustrates a home screen 730 with the VPN starter agent statusindicator 732 in the notification bar 722. In some embodiments,notification icon 732 can utilize different colors to indicate whether aVPN connection is established or not. As a non-limiting example, thestatus indicator can be a solid black icon when the VPN is establishedor a greyed out icon when the VPN is not established. When the ANDROIDbased device is on Wi-Fi, the VPN starter agent notification icon maynot be displayed at all in some embodiments, or may be a different colorin other embodiments. In addition to the notification icon 732 on thenotification bar 722, the VPN starter agent may also display helpfultext about the status of the VPN connection when the notification bar isswiped down to show notification details.

FIG. 7B illustrates a screen shot indicating further notificationdetails of the VPN starter agent and PULSE SECURE client. The screen 720is displayed when a user swipes down from the top of the screen, such asfrom the notification bar 722. In screen 720, additional statuspertaining to the VPN start agent is presented with the label MOVIUSAGENT ON 724 and indicating that metering of enterprise data is active.Further, the PULSE SECURE client 708 status 726 on screen 720 is labeledVPN Service and displays the PULSE SECURE icon. The PULSE SECURE status726 indicates that it maintains VPN connectively.

FIG. 7C illustrates the home screen 730 indicating in the notificationbar 722 that the

VPN starter agent is active 732 and the PULSE SECURE app is active 734.In the illustrated embodiment, the VPN starter agent is black indicatingthat the PULSE SECURE app data is being routed through a VPN connection530.

When an enterprise does not use an EMM to manage the apps on BYODdevices, the VPN starter agent can take on the additionalresponsibilities. For instance, in some embodiments the VPN starteragent can operate to check whether all the required components for theanalytics system to function correctly are installed on the device. Thiscan include verifying the presence of the MLS app 512, the VPN clientapp 516 (such as Pulse Secure), and all the managed apps 514. If one ormore of the apps are not installed on the device, the VPN agent canpresent a prompt to the user indicating the corresponding app is notinstalled and will direct the user to the correct page on the GOOGLEPLAYSTORE (or a different app store as required) for downloading andinstalling the app.

Once the MLS app 512 is installed on the BYOD, the user needs toon-board the app. Briefly, the on-boarding process ensures that the MLSapp 512 is configured with the correct MLS platform 540 instance andthat the assigned multiline numbers are assigned to the MLS app 512. TheVPN starter agent can check whether the MLS app 512 is on-boardedcorrectly and retrieves the on-boarding information from the MLS app. Ifthe LS app has not been on-boarded, or has not been properly orcompletely on-boarded, the VPN agent can display a helpful messageprompting the user to complete the process and/or presentinginstructions on what steps were omitted or not performed properly. Thison-boarding information is used by the VPN starter agent to connect tothe MLS platform 540 using an archive development kit (ADK) interfaceand retrieve the VPN profile information. The ADK interface provides aset of APIs for the MLS platform 540 that can be used forconfigurations. The VPN profile contains VPN configurations includingthe URL of the VPN server, the type of VPN, automatically configuredusername/password VPN credentials for the user and the whitelist ofmanaged apps 514 that need to use the VPN.

Once the VPN profile is retrieved, another responsibility is that theVPN starter agent can proceed to configure the VPN client 516 on theANDROID based device. The VPN client configuration is performed bydirectly utilizing the VPN client provided APIs.

Once the VPN client 516 is configured with the VPN profile, the VPNstarter agent can then handle the connect/disconnect of the VPN client516 exactly as described in the scenario in which an EMM is utilized.

Thus, it should be appreciated that a VPN starter agent or engine can beloaded onto a mobile device. The VPN engine can include an interface toa mobile device, wherein the operational state of the mobile device canbe determined. Further, the VPN starter engine may include aconfiguration record that contains sufficient information to identifyone or more applications to monitor (selected applications) that areloaded on the mobile device. The VPN starter engine also includes a VPNconnection controller that is configured to initiate a dedicated VPNconnection to an entity. The VPN connection controller can initiate adedicated VPN connection for each selected application. Further, the VPNconnection controller initiates the dedicated VPN connection in responseto determining that the mobile device is in the operational state ofcellular connectivity. Thus, each dedicated VPN connection is associatedwith a particular selected application. The VPN start engine is alsoconfigured to disable the dedicated VPN connections to the entity inresponse to determining that the mobile device is not in the operationalstate of cellular connectivity. As such, in operation, any data usage ofany particular selected application occurring while the mobile device isin the operational state of mobile connectivity is transmitted over thededicated VPN connection for that particular selected application to theentity.

In some embodiments, the interface to the mobile device of the VPNstarter engine can be further configured to identify when a particularselected application is active and, the VPN connection controllerperforms the action to initiate a dedicated VPN connection for thatparticular selected application proximate to the time that theparticular selected application becomes active. Thus, the dedicated VPNconnection is only established when the mobile device is in cellularconnectivity state and after the particular selected application becomesactive in such embodiments.

In other embodiments, the interface to the mobile device of the VPNstarter engine can be further configured to identify when a particularselected application is active and, the VPN connection controllerperforms the action to initiate a dedicated VPN connection only for thatparticular selected application when the particular selected applicationis active. Thus, the dedicated VPN connection is only active when themobile device is in cellular connectivity state and while the particularselected application is active.

Similarly, in other embodiments, the interface to the mobile device ofthe VPN starter engine can be further configured to identify when aparticular selected application is inactive and, the VPN connectioncontroller performs the action to disable the dedicated VPN connectionfor the particular selected application proximate to the time that theparticular selected application becomes inactive.

And even further, in other embodiments, the interface to the mobiledevice of the VPN starter engine can be further configured to identifywhen a particular selected application is inactive and, the VPNconnection controller performs the action to disable the dedicated VPNconnection for the particular selected application only when theselected application is inactive.

It should be appreciated that the VPN starter engine can be astand-alone app loaded onto and operating on a mobile device, integratedwith one or more other apps loaded onto and operating on a mobile deviceloaded onto the mobile device or be an external function that interfacesto the mobile device.

In addition, an analytic system may incorporate any of the embodimentsof the VPN starter engine. The analytics system includes a mobile deviceonto which the VPN engine is loaded. The analytics system also includesan entity that interfaces to the mobile device over the dedicated VPNconnections. Further, a reporter operating on the entity is configuredto receive the data usage of each of the selected applications runningon the mobile device. In some embodiments, an multi-line system (MLS)platform and an MLS app may be included. The MLS app is loaded on themobile device and any data usage by the MLS app runs through the MLSplatform and thus, the MLS platform obtains the usage information of theMLS app. Further, the MLS platform may interface to the entity toreceive usage data associated with the selected applications of themobile device. In such embodiments the MLS platform can be configured toaggregate the usage data of the MLS app and the usage data associatedwith the selected applications to create a usage report identifying allusage of the MLS app and the selected applications.

FIG. 8 is a functional block diagram of the components of an exemplaryembodiment of a system, device or sub-system that could operate one ormore components of the analytics system or devices or systems that theanalytics system interfaces to or interacts with during operation. Thesystem or device 800 could be used in various embodiments of thedisclosure for controlling aspects of the various embodiments. It willbe appreciated that not all of the components illustrated in FIG. 8 arerequired in all embodiments or implementations of a component but, eachof the components are presented and described in conjunction with FIG. 8to provide a complete and overall understanding of the components. Thus,the processing system illustrated in FIG. 8 could be utilized inimplementing a mobile device, an MLS app, a VPN server, an MLS platform,as well as other components or devices with which they may interface.The controller can include a general computing platform 800 illustratedas including a processor/memory device 802/804 that may be integratedwith each other or, communicatively connected over a bus or similarinterface 806. The processor 802 can be a variety of processor typesincluding microprocessors, micro-controllers, programmable arrays,custom IC's etc., and may also include single or multiple processorswith or without accelerators or the like. The memory element of 804 mayinclude a variety of structures, including but not limited to RAM, ROM,magnetic media, optical media, bubble memory, FLASH memory, EPROM,EEPROM, etc. The processor 802, or other components in the controllermay also provide components such as a real-time clock, analog to digitalconvertors, digital to analog convertors, etc. The processor 802 is alsoillustrated as optionally interfacing to a variety of elements includinga control interface 812, a display adapter 808, an audio adapter 810,and network/device interface 814. The control interface 812 provides aninterface to external controls, such as sensors, actuators, SPDT relays,the PSTN, a cellular network, pressure actuators, step motors, akeyboard, a mouse, a pin pad, an audio activated device, as well as avariety of the many other available input and output devices or, anothercomputer or processing device or the like. The display adapter 808 canbe used to drive a variety of alert elements 816, such as displaydevices including an LED display, LCD display, one or more LEDs or otherdisplay devices. The audio adapter 810 may interface to and driveanother alert element 818, such as a speaker or speaker system, buzzer,bell, etc. The optional network/interface 814 may interface to a network820 which may be any type of network including, but not limited to theInternet, a global network, a wide area network, a local area network, awired network, a wireless network or any other network type includinghybrids. Through the network 820, or even directly, the controller 800can interface to other devices or computing platforms such as one ormore servers 822 and/or third party systems 824. A battery or powersource provides power for the controller 800.

FIG. 9 is a flow diagram illustrating exemplary steps that a VPN starterengine can be perform in various embodiments. Initially the VPN starterengine 900 is loaded onto a mobile device 910. Upon being initialized,the VPN starter engine receives information identifying one or moreapplications that are loaded on the mobile device and that are to bemonitored (selected applications) 912. The VPN engine then stores theidentity of the selected applications into a record 914.

The VPN engine then interfaces to the mobile device to identify theoperational state of the mobile device 916. If the mobile device is in astate of cellular connectivity 918, then the VPN engine can initiate theestablishment of a VPN connection for each of the selected applications920.

If the VPN engine detects that the mobile device has exited a cellularconnectivity state 922, then the VPN engine can disable the VPNconnection(s) for the selected applications 924.

The VPN engine can continue to monitor the state of the mobile device916 and toggle the VPN connections as the state of the mobile devicechanges. It should be appreciated that in some embodiments, a single VPNconnection can be established for all of the selected applications ormultiple VPN connections can be established or individual applicationsor groups of applications at block 920. Likewise, in block 924, each ofthe VPN connections can be disabled. It should also be appreciated thatin some embodiments, the VPN engine may further filter the establishmentand disablement of the VPN connections based on the state of theselected applications. For example, if selected application 1 andselected application 2 are active, the VPN engine may establish a VPNconnection for these applications when the operational state of themobile device is cellular connectivity. However, if selected application3 is not active, the VPN engine may not establish a VPN connection forthat particular application. Similarly, if selected application 1 andselected application 2 are to use a single VPN connection, the VPNengine may establish the VPN connection if either selected application 1or selected application 2 is active.

FIG. 10 is a flow diagram illustrating exemplary actions that can betaken by an exemplary embodiment of the analytics system. Initially, theanalytics system runs a VPN engine a mobile device 1010. The operationof this process may include each of the processes or actions presentedin FIG. 9. An entity, such as a VPN platform interfaces to the mobiledevice and receives the data that is transmitted over the VPNconnections between the mobile device and an intended destination 1012.A reporter operating on the VPN platform receives the data andidentifies usage information for each of the selected applicationsand/or all usage date for the selected applications 1014.

In some embodiments, an MLS application may be loaded onto the mobiledevice 1016. When the MLS application is launched, the call and datatransfer information is sent directly through an MLS platform 1018. TheMLS platform then identifies the usage information of the MLS app 1020.Further, in such embodiments, the usage information obtained by the VPNplatform is provided to the MLS platform 1022. The usage data from theVPN platform and the MLS platform are then combined by the analyticssystem to generate reports, graphs, provide the information to a billingentity, etc. 1024.

Certain steps or blocks in the processes or process flows described inthis specification naturally precede others for the invention tofunction as described. However, the invention is not limited to theorder of the steps or blocks described if such order or sequence doesnot alter the functionality of the invention. That is, it is recognizedthat some steps or blocks may be performed before, after, or parallel(substantially simultaneously with) other steps or blocks withoutdeparting from the scope and spirit of the invention. In some instances,certain steps or blocks may be omitted or not performed withoutdeparting from the invention. Also, in some instances, multiple actionsdepicted and described as unique steps or blocks in the presentdisclosure may be comprised within a single step or block. Further,words such as “thereafter”, “then”, “next”, “subsequently”, etc. are notintended to limit the order of the steps or blocks. These words aresimply used to guide the reader through the description of the exemplarymethod.

Additionally, one of ordinary skill in programming is able to writecomputer code or identify appropriate hardware and/or circuits toimplement the disclosed invention without difficulty based on the flowcharts, block diagrams, screenshots and associated description in thisspecification, for example. Therefore, disclosure of a particular set ofprogram code instructions or detailed hardware devices is not considerednecessary for an adequate understanding of how to make and use theinvention. The inventive functionality of the claimed computerimplemented processes is explained in more detail in the abovedescription and in conjunction with the figures which may illustratevarious process flows or functionality.

The word “exemplary” is used herein to mean “serving as an example,instance, or illustration.” Any aspect described herein as “exemplary”is not necessarily to be construed as preferred or advantageous overother aspects.

In this description, the terms “application” and “app” may also includefiles having executable content, such as: object code, scripts, bytecode, markup language files, and patches. In addition, an “application”referred to herein, may also include files that are not executable innature, such as documents that may need to be opened or other data filesthat need to be accessed. Further, an “application” may be a completeprogram, a module, a routine, a library function, a driver, etc.

The term “content” may also include files having executable content,such as: object code, scripts, byte code, markup language files, andpatches. In addition, “content” referred to herein, may also includefiles that are not executable in nature, such as documents that may needto be opened or other data files that need to be accessed.

As used in this description, the terms “component,” “database,”“module,” “system,” and the like are intended to refer to acomputer-related entity, either hardware, firmware, a combination ofhardware and software, software, or software in execution. For example,a component may be, but is not limited to being, a process running on aprocessor, a processor, an object, an executable, a thread of execution,a program, and/or a computer. By way of illustration, both anapplication running on a computing device and the computing device maybe a component.

One or more components may reside within a process and/or thread ofexecution, and a component may be localized on one computer and/ordistributed between two or more computers. In addition, these componentsmay execute from various computer readable media having various datastructures stored thereon. The components may communicate by way oflocal and/or remote processes such as in accordance with a signal havingone or more data packets (e.g., data from one component interacting withanother component in a local system, distributed system, and/or across anetwork such as the Internet with other systems by way of the signal).

In this description, the terms “telecommunications device,”“communication device,” “wireless device,” “wireless telephone,”“wireless communication device”, “mobile device”, “BYOD” and “wirelesshandset” may be used interchangeably. With the advent of thirdgeneration (“3G”) and fourth generation (“4G”) wireless technology,greater bandwidth availability has enabled more portable computingdevices with a greater variety of wireless capabilities. Therefore, atelecommunications device (“TD”) may include a cellular telephone, apager, a PDA, a smartphone, a navigation device, a tablet personalcomputer (“PC”), or a hand-held computer with a wireless connection orlink.

In this description, the terms “call” and “communication,” in their nounforms, envision any data transmission routed across a network from onedevice to another including, but not limited to, a voice transmission, atext message, a video message, a page, etc. In one or more exemplaryaspects, the functions described may be implemented in hardware,software, firmware, or any combination thereof. If implemented insoftware, the functions may be stored on or transmitted as one or moreinstructions or code on a computer-readable medium. Computer-readablemedia include both computer storage media and communication mediaincluding any medium that facilitates transfer of a computer programfrom one place to another.

In this description, elements may be described as including an interfaceto another element. These elements may be software, firmware, hardwareor a combination of two or more. The term interface is used to describeany interaction between the elements whether the interaction includes aphysical transmission of bits or signals, passing variables or data,receiving variables or data, providing control signals, invokingapplications, modules, subroutines or the like, pausing applications,transmitting data to the elements, receiving data from the elements orotherwise interacting with the elements. As such, an interface may be aphysical connection, a port, or a set of software instructions thatresult in any of the above-listed actions or interactions. Thus, aninterface may simply include an ability to interact with anothercomponent residing on the same device, to interact with a separatedevice and/or to interact with a component residing on a differentdevice.

A storage media may be any available media that may be accessed by acomputer. By way of example, and not limitation, such computer-readablemedia may comprise RAM, ROM, EEPROM, CD-ROM or other optical diskstorage, magnetic disk storage or other magnetic storage devices, or anyother medium that may be used to carry or store desired program code inthe form of instructions or data structures and that may be accessed bya computer.

Also, any connection is properly termed a computer-readable medium. Forexample, if the software is transmitted from a website, server, or otherremote source using a coaxial cable, fiber optic cable, twisted pair,digital subscriber line (“DSL”), or wireless technologies such asinfrared, radio, and microwave, then the coaxial cable, fiber opticcable, twisted pair, DSL, or wireless technologies such as infrared,radio, acoustic and microwave are included in the definition of medium.

Although selected aspects have been illustrated and described in detail,it will be understood that various substitutions and alterations may bemade therein without departing from the spirit and scope of the presentinvention, as defined by the following claims.

What is claimed is:
 1. A method for collecting usage data of one or moreselected applications loaded on a mobile device, the method comprisingthe actions of: loading a virtual private network (“VPN”) engine onto amobile device; initiating VPN connections for each of a plurality ofactive applications if the mobile device is connected to the cellularnetwork; and recording the data usage of each active application overthe VPN connection associated with that active application.
 2. Themethod of claim 1, wherein the action of initiating VPN connectionsfurther comprises initiation a dedicated VPN connection for each activeapplication.
 3. The method of claim 2, further comprising terminating aparticular dedicated VPN connection when it is detected that aparticular application switches from being active to being inactive. 4.The method of claim 1, further comprising the action of monitoring thedata transmitted over the VPN connections to generate data usageinformation for each of the active applications.
 5. A method to monitornetwork usage and collect analytics using a virtual private network(“VPN”) starter engine operating in conjunction with a mobile device,the method comprising: detecting the mobile device being connected to acellular network or to a WiFi network; identifying when a monitoredapplication loaded on the mobile device becomes active; initiating a VPNconnection to a destination for the monitored application in response todetermining that the mobile device is connected to the cellular networkand the monitored application is active; whereby any data usage of themonitored application occurring while the mobile device is connected tothe cellular network is transmitted over the VPN connection to thedestination and can be included in the analytics.
 6. A processorexecuting a virtual private network (“VPN”) starter engine and operatingin conjunction with a mobile device, the VPN starter engine comprising:an interface to a mobile device that enables the VPN starter engine todetermine if the mobile device is connected to a cellular network or aWiFi network; a controller that establishes a VPN connection for anactive monitored application in response to determining that the mobiledevice is connected to the cellular network; the VPN starter enginefurther configured to collect data usage of the active monitoredapplication occurring while the mobile device is connected to thecellular network to be provided for the generation of billing.
 7. Theprocessor executing the VPN starter engine of claim 6, wherein theinterface to the mobile device further enables the VPN starter engine toidentify when the monitored application becomes active.
 8. The processorexecuting the VPN starter engine of claim 6, wherein the interface tothe mobile device further enables the VPN starter engine to identifywhen the monitored application is active and, the VPN connectioncontroller performs the action to initiate a VPN connection only whenthe monitored application is active.
 9. The processor executing the VPNstarter engine of claim 6, wherein the interface to the mobile devicefurther enables the VPN starter engine to identify when the monitoredapplication is inactive and, the VPN connection controller performs theaction to disable the VPN connection proximate to the time that themonitored application becomes inactive.
 10. The processor executing theVPN starter engine of claim 6, wherein the interface to the mobiledevice is further configured to identify when the monitored applicationis inactive and, the VPN connection controller performs the action todisable the VPN connection only when the monitored application isinactive.
 11. The processor executing the VPN starter engine of claim 6,wherein the VPN connection enables all data from the active monitoredapplication to pass through a VPN tunnel on a public network to a VPNserver that can meter the date on a per-user level.
 12. The processorexecuting the VPN starter engine of claim 11, wherein the VPN server isconfigured to meter the data usage and create call data records (“CDR”).13. The processor executing the VPN starter engine of claim 12, whereinthe VPN server transmits the CDRs to a platform for processing bills.